4. www.tusconsultoreslegales.com [email_address]
1. COMPANY OBJECTIVES AND LEGAL PLANNING
Let us imagine that a company has the following objectives:
1- Managing, finalising and launching the development of a new product
2- Ensuring that the development information remains confidential by previously assessing the risks
3- Ensuring good governance practices, detecting which policies are necessary to guarantee the information
4- Deciding which information systems are suitable based on the specific needs of the product/business
5- Assessing the actions to be performed through the company's external means of communication
5. 2. LEGAL PLANNING AND TECHNICAL IMPLEMENTATION
Continuing with the example, once the business objectives are known together with the legal perspective:
1- Detecting the intangible assets which will increase the business/product value
2- Assessing the implications of subcontracting development of the project where appropriate
3- Detecting the sensitive points for information leaks (internal staff, communication formats and media, both internal and external)
4- Assessing policies such as the use of e-mail, social networks, remote access, mobile and portable devices through which the information circulates and where it is stored; assessing biometric solutions if the information is very sensitive; whether it is useful to have digital signature certificates to preserve compromising information (using encryption solutions)
In other words, how the formats are managed and how information is transported.
6. 3. TECHNICAL IMPLEMENTATION AND COMPANY OBJECTIVES
Once the best alternative for managing formats and assessing information transport has been decided:
1- Specifying the development and implementation stages based on the objectives and the budget which needs to be invested in each development stage so as to minimise risks
2- From the technical measures which it has been decided to implement to minimise risks, detecting with the EVA (Economic Value Added) whether the value of the assets is ensured (accurate valuation of tangible and intangible assets) so as to optimise risk management and create value.
8. 5. IDENTIFYING RISKS: AVOIDING CRIMINAL LIABILITIES
But what risks should be taken into account, and in what type of situation?
1- Analysing and evaluating the physical and logical security measures which have not been implemented and/or are not current (risk of leak from databases or information not properly protected, leaked project information)
2- Formats which are not suitably protected (information leaks in formats are the most common)
3- Not detecting identity theft (another person other than the employee making negative comments about the company on social networks or carrying out criminal conduct)
4- Unencrypted communication channels (modification and listening to confidential information when transported)
5- Availability of self control measures for accessing information (where appropriate) on users by users themselves (making it possible to detect unauthorised access to confidential, personal and private information)
6- Risk of theft of media, laptops or mobile devices
Information must only be available to users or control authorities and Government law enforcement agencies.
12. 9. CONCLUSIONS
As conclusions, we can highlight the following:
1- Valuing the assets (tangible and intangible) for developing the business/product
2- A business/product development project cannot be planned with confidential sensitive information without having conducted a risk analysis
3- The authenticity, confidentiality, integrity, availability, non-repudiation and auditing of the information must be guaranteed throughout the information life-cycle
Planning for the implementation of technical tools cannot be carried out without previous legal assessment and the legal assessment must take into account the BUSINESS OBJECTIVES so as to create value.